topic Thank you Jon, I will Do that in Network Security

NAT Issue ASA 9.1

Ejaz Ahmed — Tue, 12 Mar 2019 06:11:09 GMT

Hi Experts,

Please help me on this, I have upgraded my cisco asa from 8.2 to 9.1 version. I know that cisco made huge changes in NAT configuration. The firewall 8.2 is configured with lots static PAT and dynamic PAT lines. Now I am going to convert these lines to 9.1 format. I have successfully configured the static PAT line, which mainly doing the port forward (ie same port number on external and internal). But i got stuck in port redirection, it is not working for me. Please see the following lines that I configured my firewall

1. RDP connection to one of the internal machine from external

Object network Obj_RDP_192.168.1.10

host 192.168.1.10
nat (inside, outside) static x.x.x.x

access-list outside_inside extended permit tcp any host 192.168.1.10 eq 3389

The above lines are working for me. I can RDP to the machine 192.168.1.10 from external using the public IP x.x.x.x

Now see the below command which is not working for me:

2. RDP to another internal machine (Since the port 3389 already used for the first machine, I selected port 2000 here)

Object network Obj_RDP_192.168.1.11
1host 192.168.1.11
nat (inside, outside) static x.x.x.x service tcp 3389 2000

access-list outside_inside extended permit tcp any host 192.168.1.11 eq 2000

Please provide me a solution for the 2nd configuration line.

Regards,

Ejaz

EjazRDP to another internal

Jon Marshall — Fri, 26 Jun 2015 11:40:33 GMT

Ejaz

RDP to another internal machine (Since the port 3389 already used for the first machine, I selected port 2000 here)

I don't understand what you mean here. You are using a different public IP ie. y.y.y.y so why do you need to use a different port number ?

I am assuming y.y.y.y is another of your public IPs and part of the same IP subnet as x.x.x.x ?

That aside can you run -

"packet-tracer input outside tcp 8.8.8.8 12345 y.y.y.y 2000"

and post results.

Jon

Thanks for the response Jon.,

Ejaz Ahmed — Fri, 26 Jun 2015 11:52:01 GMT

Thanks for the response Jon., Sorry my bad its same public IP. We have only one static public which is configured in firewall's WAN interface.

Thanks and Regards,

Ejaz

EjazOkay, that's the problem

Jon Marshall — Fri, 26 Jun 2015 11:55:23 GMT

Ejaz

Okay, that's the problem.

Your first statement is a one to one mapping ie. it uses all ports so it never hits your second statement.

You need to rewrite your first statement to be a static PAT statement ie. like your second one but you can use port 3389 with the first statement, no need to translate the port.

Jon

Thank you Jon, I will Do that

Ejaz Ahmed — Fri, 26 Jun 2015 12:09:25 GMT

Thank you Jon, I will Do that.

Ejaz